Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 19:17

General

  • Target

    a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe

  • Size

    3.5MB

  • MD5

    c01e9d2a0ac1240ddde0bade9b4223ce

  • SHA1

    fcffd492d70c3eba6064a40db995d69436161b81

  • SHA256

    a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83

  • SHA512

    4dd5defafe8778d17ce22b0a51e40642bf40936754f3f953f04beeb84d3ecf5dd8133ba250fca0a96bf331b97aed32f2d4f309666ce81a57a030c312154e94af

Malware Config

Signatures

  • StrongPity

    StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

  • StrongPity Spyware 4 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
    "C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\wrar561.exe
      "C:\Users\Admin\AppData\Local\Temp\wrar561.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1880
    • C:\Windows\SysWOW64\svchosts32.exe
      C:\Windows\system32\\svchosts32.exe help
      2⤵
      • Executes dropped EXE
      PID:608
  • C:\Windows\SysWOW64\svchosts32.exe
    C:\Windows\SysWOW64\svchosts32.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SysWOW64\spoolcl.exe
      "C:\Windows\system32\\spoolcl.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml
        "C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml"
        3⤵
        • Executes dropped EXE
        PID:1900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1880-59-0x0000000076001000-0x0000000076003000-memory.dmp

    Filesize

    8KB